OpenSSL is the reference toolkit for SSL/TLS certificate management, encryption, and cryptographic operations. Available on Linux, Windows, and macOS.
## 🔍 Certificate Verification

| 📌 Action | 🧠 Command |
|---|---|
| 📜 Display PEM certificate | `openssl x509 -in cert.pem -text -noout` |
| 📜 Display DER certificate | `openssl x509 -in cert.cer -inform DER -text -noout` |
| 🔑 Verify private key | `openssl rsa -in key.pem -check` |
| 📝 Display CSR | `openssl req -in request.csr -text -noout` |
| 📦 Verify PFX | `openssl pkcs12 -in cert.pfx -info -noout` |
| 📅 Validity dates | `openssl x509 -in cert.pem -noout -dates` |
| 🏷️ View subject | `openssl x509 -in cert.pem -noout -subject` |
| 🏢 View issuer | `openssl x509 -in cert.pem -noout -issuer` |
| 🔢 Serial number | `openssl x509 -in cert.pem -noout -serial` |
### PEM ↔ DER

```bash
# PEM to DER
openssl x509 -in cert.pem -outform DER -out cert.der
# DER to PEM
openssl x509 -in cert.der -inform DER -out cert.pem
```

### PEM ↔ PFX/P12

```bash
# PEM to PFX (certificate + key + chain)
openssl pkcs12 -export -out cert.pfx \
    -inkey private.key \
    -in cert.pem \
    -certfile chain.pem
# PFX to PEM (extract everything; -nodes leaves the key unencrypted, OpenSSL 3 also accepts -noenc)
openssl pkcs12 -in cert.pfx -out all.pem -nodes
# PFX to PEM (certificate only)
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
# PFX to PEM (key only)
openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem
```

### RSA Keys

```bash
# Encrypted to unencrypted key
openssl rsa -in encrypted.key -out decrypted.key
# Unencrypted to encrypted key
openssl rsa -in key.pem -aes256 -out encrypted.key
```
## 🔑 Key and CSR Generation

| 📌 Action | 🧠 Command |
|---|---|
| 🔑 Generate RSA 2048 key | `openssl genrsa -out key.pem 2048` |
| 🔑 Generate RSA 4096 key | `openssl genrsa -out key.pem 4096` |
| 🔐 Encrypted RSA key | `openssl genrsa -aes256 -out key.pem 2048` |
| 📝 Generate CSR | `openssl req -new -key key.pem -out request.csr` |
| ⚡ Key + CSR in one command | `openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out request.csr` |
### CSR with SAN (Subject Alternative Names)

```bash
# Create a san.cnf config file
cat > san.cnf << EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = example.com
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = api.example.com
EOF
# Generate CSR with SAN
openssl req -new -key key.pem -out request.csr -config san.cnf
```
## 📜 Self-Signed Certificates

```bash
# Simple self-signed certificate (1 year)
openssl req -x509 -nodes -days 365 \
    -newkey rsa:2048 \
    -keyout key.pem \
    -out cert.pem \
    -subj "/CN=example.com"
# Self-signed certificate with SAN (uses the san.cnf from the CSR section)
openssl req -x509 -nodes -days 365 \
    -newkey rsa:2048 \
    -keyout key.pem \
    -out cert.pem \
    -config san.cnf \
    -extensions v3_req
```
## 🌐 Debug SSL/TLS Connections

| 📌 Action | 🧠 Command |
|---|---|
| 🔗 Test HTTPS connection | `openssl s_client -connect example.com:443` |
| 📜 Display certificate | `openssl s_client -connect example.com:443 -showcerts` |
| 🔒 Force TLS 1.2 | `openssl s_client -connect example.com:443 -tls1_2` |
| 🔒 Force TLS 1.3 | `openssl s_client -connect example.com:443 -tls1_3` |
| 📧 Test SMTP STARTTLS | `openssl s_client -connect mail.example.com:587 -starttls smtp` |
| 📧 Test IMAP STARTTLS | `openssl s_client -connect mail.example.com:143 -starttls imap` |
| 🗄️ Test MySQL/MariaDB SSL | `openssl s_client -connect db.example.com:3306 -starttls mysql` |

### Retrieve Server Certificate

```bash
# Download the certificate (echo closes the connection once the handshake is done)
echo | openssl s_client -connect example.com:443 2>/dev/null | \
    openssl x509 -out server-cert.pem
# Download the full chain
echo | openssl s_client -connect example.com:443 -showcerts 2>/dev/null | \
    sed -n '/-----BEGIN/,/-----END/p' > chain.pem
```
## ✅ Matching Verification

```bash
# Verify that key and certificate match (RSA: compare the modulus of each)
openssl x509 -noout -modulus -in cert.pem | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
# Both hashes must be identical
# Verify that CSR and key match
openssl req -noout -modulus -in request.csr | openssl md5
openssl rsa -noout -modulus -in key.pem | openssl md5
# A modulus only exists for RSA; for EC keys compare the public keys instead
# (openssl x509 -in cert.pem -noout -pubkey  vs.  openssl pkey -in key.pem -pubout)
```
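Added example (not part of the original cheat sheet): a shell function that decides whether a certificate or CSR belongs to a private key by comparing the public keys themselves, which, unlike the modulus trick above, works for RSA and EC keys alike. File names and the demo key material are constructed.

```bash
#!/usr/bin/env bash
# Added example: compare the public key inside a certificate or CSR with the
# public key derived from a private key. Works for RSA and EC keys alike.
set -u

# Print the public key (SubjectPublicKeyInfo, PEM) held in a cert, CSR or private key.
pubkey_of() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 1 ;;
    esac 2>/dev/null
}

# key_matches <cert|csr> <file> <private-key>: exit 0 when they belong together.
key_matches() {
    local a b
    a=$(pubkey_of "$1" "$2") && [ -n "$a" ] || return 1
    b=$(pubkey_of key "$3")  && [ -n "$b" ] || return 1
    [ "$a" = "$b" ]
}

# Demo on constructed material in a scratch directory: one RSA pair, one EC pair.
demo() {
    local d
    d=$(mktemp -d)
    openssl genrsa -out "$d/rsa.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$d/rsa.key" -days 1 -subj "/CN=demo" -out "$d/rsa.crt" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key"
    openssl req -new -key "$d/ec.key" -subj "/CN=demo" -out "$d/ec.csr" 2>/dev/null
    key_matches cert "$d/rsa.crt" "$d/rsa.key" && echo "rsa cert / rsa key: match"
    key_matches csr  "$d/ec.csr"  "$d/ec.key"  && echo "ec csr / ec key: match"
    key_matches cert "$d/rsa.crt" "$d/ec.key"  || echo "rsa cert / ec key: mismatch (expected)"
    rm -rf "$d"
}

demo
```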
## 🔐 File Encryption

| 📌 Action | 🧠 Command |
|---|---|
| 🔒 Encrypt a file | `openssl enc -aes-256-cbc -salt -in file.txt -out file.enc` |
| 🔓 Decrypt a file | `openssl enc -d -aes-256-cbc -in file.enc -out file.txt` |
| 🔒 Encrypt with pbkdf2 | `openssl enc -aes-256-cbc -salt -pbkdf2 -in file.txt -out file.enc` |

A file encrypted with `-pbkdf2` must also be decrypted with `-pbkdf2`; without the flag, `openssl enc` falls back to the legacy EVP_BytesToKey derivation and derives a different key from the same passphrase.
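Added example (not from the original page): AES-256-CBC file encryption with PBKDF2, plus a check showing that decrypting with the legacy key derivation does not recover the plaintext. The passphrase, file contents and paths are constructed; the passphrase is handed over through the environment so it does not appear in the process list.

```bash
#!/usr/bin/env bash
# Added example: AES-256-CBC with PBKDF2 key derivation, and proof that the KDF
# options must match on decryption. Passphrase and file are constructed.
set -u
export DEMO_PASS='correct horse battery staple'   # constructed demo passphrase
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'secret payload\n' > "$WORK/file.txt"

# Encrypt with PBKDF2 (600k iterations); -iter implies -pbkdf2 but both are spelled out.
enc_pbkdf2() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -pass env:DEMO_PASS -in "$1" -out "$2"
}
# Decrypt with the same KDF parameters.
dec_pbkdf2() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -pass env:DEMO_PASS -in "$1" -out "$2" 2>/dev/null
}
# Decrypt the way the plain table entry does: legacy EVP_BytesToKey derivation, no -pbkdf2.
dec_legacy() {
    openssl enc -d -aes-256-cbc -pass env:DEMO_PASS -in "$1" -out "$2" 2>/dev/null
}
same_file() { cmp -s "$1" "$2"; }

enc_pbkdf2 "$WORK/file.txt" "$WORK/file.enc"
if dec_pbkdf2 "$WORK/file.enc" "$WORK/out.txt" && same_file "$WORK/file.txt" "$WORK/out.txt"; then
    echo "pbkdf2 round trip: OK"
fi
# Same passphrase, different KDF: the derived key is wrong, so decryption fails
# ("bad decrypt") or, rarely, yields garbage; either way the plaintext is not recovered.
if dec_legacy "$WORK/file.enc" "$WORK/out2.txt" && same_file "$WORK/file.txt" "$WORK/out2.txt"; then
    echo "unexpected: legacy KDF recovered the plaintext"
else
    echo "legacy KDF cannot decrypt a pbkdf2-encrypted file (expected)"
fi
```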
## 📊 Hashing and Signatures

| 📌 Action | 🧠 Command |
|---|---|
| #️⃣ MD5 hash | `openssl dgst -md5 file.txt` |
| #️⃣ SHA256 hash | `openssl dgst -sha256 file.txt` |
| #️⃣ SHA512 hash | `openssl dgst -sha512 file.txt` |
| ✍️ Sign a file | `openssl dgst -sha256 -sign key.pem -out sig.bin file.txt` |
| ✅ Verify signature | `openssl dgst -sha256 -verify pubkey.pem -signature sig.bin file.txt` |

`pubkey.pem` is the public half of `key.pem`, exported with `openssl pkey -in key.pem -pubout -out pubkey.pem`.
## 🏗️ Create a Private CA

### 1. Create Root CA

```bash
# Generate CA key
openssl genrsa -aes256 -out ca-key.pem 4096
# Create root certificate (10 years)
openssl req -new -x509 -days 3650 \
    -key ca-key.pem \
    -out ca-cert.pem \
    -subj "/CN=My Private CA/O=My Company"
```

### 2. Sign a Certificate with the CA

```bash
# Create CSR for the server (server-key.pem generated beforehand, e.g. with openssl genrsa)
openssl req -new -key server-key.pem -out server.csr
# Sign with CA (1 year)
# Note: x509 -req does not carry the CSR's extensions (such as SAN) into the certificate
# unless you pass -extfile (or -copy_extensions copy on OpenSSL 3)
openssl x509 -req -days 365 \
    -in server.csr \
    -CA ca-cert.pem \
    -CAkey ca-key.pem \
    -CAcreateserial \
    -out server-cert.pem
```
## 🔧 Useful Commands

| 📌 Action | 🧠 Command |
|---|---|
| 📋 OpenSSL version | `openssl version` |
| 📋 Detailed version | `openssl version -a` |
| 🔐 List ciphers | `openssl ciphers -v` |
| 🎲 Generate password | `openssl rand -base64 32` |
| 🎲 Generate random hex | `openssl rand -hex 16` |
| 📝 Encode to base64 | `openssl base64 -in file.bin -out file.b64` |
| 📝 Decode base64 | `openssl base64 -d -in file.b64 -out file.bin` |
## 🛠️ Common Troubleshooting

| 🆘 Problem | 🧠 Solution |
|---|---|
| ❌ “unable to load certificate” | Check the format (PEM vs DER); try `-inform DER` |
| ❌ “key values mismatch” | Key and certificate don’t match |
| ❌ “certificate verify failed” | Expired certificate or incomplete chain |
| ❌ “wrong version number” | Wrong port or protocol (HTTP instead of HTTPS) |
| ❌ “no peer certificate” | Server doesn’t present a certificate |
| ❌ “self signed certificate” | CA not recognized; add it to the trust store |